On 17. Juni 2014 at 23:56:43, Zack Weinberg (zackw@cmu.edu) wrote:
Why do you disable directory mirroring? It's my understanding that this should basically always be on.
Not sure why, I think at the beginning I wanted to use the ‘minimal’ config, and I didn’t even now about directory services, but please keep in mind I’m still missing the big Tor picture and many things are new to me That’s actually one of the reasons for this thread: if you think such and such configuration should be defaulted, or available as a custom parameter, well, please say so :)
It would be nice if exit-relay mode enabled an HTTP "exit notice" as described at https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment.
Point 4 says: "If you run your DirPort on port 80”. Should it be enabled only when DirPort = 80?
Tor relays get pounded on by the script kiddies -- a degree of hardening is appropriate. I don't know if there are any stock Puppet "tighten security" modules but these are the things that I remember having done to mine. Note that my relays serve no other traffic and have no non-root user accounts; some of these configuration choices may be inappropriate for multi-use machines.
I don’t know of any such ‘security silver bullet module’ I am afraid :)
About the security enhancements, they are definitely interesting, but to me seems they are out of the scope of the ‘install relay’ Puppet module itself, and also against the usual modular approach of Puppet modules. First, my understanding is that having a node with only Tor running is suggested, but not mandatory, but in any case, those enhancements are more suitable for a separate 'tor-security’ like module that one may or may not be interested in.
-- Alexander Fortin http://about.me/alexanderfortin